US officials warned major pipelines to secure systems before Colonial attack

For more than two years before the Colonial petroleum pipeline shutdown on Friday, US officials repeatedly warned major pipelines that they were increasingly vulnerable to hackers as they moved their operations online.

As recently as February 2020, US cyber security officials warned of an attack on an unnamed natural gas compression facility that mirrored some of the problems faced by Colonial.

In that case, hackers broke into the back-office network and moved into its operations control system, locking up computers on both sides and leaving staff unable to see data from the facility, which had to be shut down.

Officials warned at the time that pipelines should keep their back office separate from their operations. It was useful advice for Colonial Pipeline, whose 5,500 miles of pipes supply half the fuel used by the US east coast.

But on Monday, the White House confirmed that a similar scenario had played out at Colonial, forcing it to shut itself down to ensure that hackers “could not migrate from business computer systems to those that control and operate the pipeline”.

Sujeet Shenoi, professor of computer science at the University of Tulsa and a former nuclear engineer, said that hackers often found the easiest people to attack were in the back office, and that some critical infrastructure companies now had a three-strike rule for employees who breached cyber security procedures.

He added that infrastructure companies had moved quickly to digitise their operations, but had not fully woken up to the scale of the risk of connecting their corporate IT systems to their operational control systems. “This is like a 9/11 and more. Critical infrastructure groups are not ready to respond.”

The Department of Homeland Security set up the Pipeline Cybersecurity Initiative in October 2018 to try to protect more than 2.7m miles of oil and gas pipelines from attack as their owners started to connect them to the internet so that they could monitor operations remotely.

Like its peers, Colonial Pipeline has spent years transforming itself from a traditional utility into a data-driven, digital company. Major pipelines increasingly rely on computers to monitor flows and pressure and flag any safety problems.

One case study showed how Colonial increased safety observations by 900 per cent between 2017 and 2019 by using software to check its systems, rather than humans with clipboards.

“Colonial is in the midst of a digital transformation. At Colonial, digital transformation goes well beyond technology — the company is transforming processes, culture and the way it does business,” the document stated.

Other major pipeline operators contacted by the Financial Times, including TC Energy, Energy Transfer and Enbridge, said they remained confident in the capabilities of their cyber security systems after investing heavily in the space. 

While it is unclear how exactly the attackers first gained entry to Colonial’s network, the case has laid bare the growing sophistication of the numerous criminal ransomware groups, which typically seize victims’ data or systems by infecting them with malicious software, before demanding a payout in order to release it. 

Allan Liska of Recorded Future’s computer security incident response team, said that part of its success is derived from “trial and error” in that over the years it has attacked “hundreds of networks”. Some have become more enterprising recently; for example, one group typically starts reaching out to its victims’ customers if a victim refuses to pay; others, including DarkSide, also rent out their technology to affiliates.

It is unclear how President Joe Biden will proceed as he prepares to meet Vladimir Putin, Russia’s president, next month. Biden said that there was “no evidence” of Moscow’s direct involvement in the attack but added that Russia had “some responsibility to deal with this” given DarkSide’s perceived roots. 

Liska said Moscow tended to tacitly allow ransomware gangs to operate there and in return those groups “don’t attack victims in Russia and Russian-aligned companies”. Indeed, last month, the US Treasury accused one of Russia’s intelligence services, the FSB, of harbouring, “cultivating and co-opting” the notorious ransomware group Evil Corp. 

Either way, pressure is increasing on the administration to take action. “Ransomware exploits have recently taken a more disturbing turn,” said Philip Quade, chief information security officer at Fortinet. “The use of ransomware as a means to assert strategic influence — threaten the reliability of critical infrastructures for instance — elevates ransomware from being a mere scourge to a matter of national importance.”

“I fully expect DarkSide to shortly experience the full extent of [US intelligence community and department of defense] precision tactical deterrent capabilities,” said William Evanina, former director of the National Counterintelligence and Security Center and chief executive of The Evanina Group. 

Additional reporting by Katrina Manson in Washington